Health Law Advisor

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts. Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect. 

Over the next year, the following laws will become effective:

1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
5. New Hampshire Privacy Act (effective Jan. 1, 2025)
6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
7. Tennessee Information Protection Act (effective July 1, 2025)
8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

Late last year, the case Shannon MacDonald, MD, et al v. Otto Sabando was filed in the U.S. District Court for the District of New Jersey. The plaintiffs claimed that New Jersey’s licensure restrictions on the use of telehealth were unconstitutional as they infringe on basic civil rights everyone has and therefore should be struck down. However, the defendants argued that the licensure of physicians is within the jurisdiction of states to decide and regulate such that New Jersey’s licensure laws do not violate the U.S. Constitution. EBG discussed the initial arguments in this ...

Healthcare organizations continue to be prime targets of cyberattacks. It is well-established that cyberattacks can lead to financial loss, reputational damage, and, in some cases, risks to patient care and safety. The recent and well-publicized cybersecurity incident affecting Change Healthcare further evidences these risks. As a result of the widespread and disruptive impact of this most recent cyberattack on the healthcare ecosystem, on March 5, 2024 the U.S. Department of Human Services (HHS) issued a public statement and has also announced that it opened an ...

Use of telehealth services has surged since the COVID-19 pandemic; however, this increase in use does not come without limitations. Telehealth providers are subject to regulations, which differ by state, that govern various aspects of providing services via telemedicine, including what types of health care providers can provide telehealth services, what services can be provided via telehealth, and where providers must be located in order to provide telehealth services to a patient. A requirement consistent across most states is that providers engaging in telehealth services ...

New York Governor, Kathy Hochul, recently announced proposed cybersecurity rules for New York hospitals, which are due to be imminently published in the State Register on December 6, 2023, subject to approval by the Public Health and Health Planning Council.  The Governor’s press release indicates the proposed regulations, if enacted, will require New York hospitals to meet at least the following requirements: 

• Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks;
• Develop a response plan for potential cybersecurity ...

On June 16, 2023, Nevada enacted Senate Bill 370 (“SB 370”), which imposes broad restrictions on the collection, use, and sale of consumer health data. This law is set to go into effect on March 31, 2024.

On June 8, 2023, the New York City Council passed a bill focused on healthcare accountability, with the goal of increasing access to healthcare services for New Yorkers. Entitled the Healthcare Accountability & Consumer Protection Act (the “Act”), this legislation includes Introduction 844, which establishes an Office of Healthcare Accountability, whose work would allow patients to see through a website what they would be charged for procedures at hospitals throughout New York City. As part of the Act, this Office would also report on insurance and pharmaceutical pricing, as well as monitor the amount of money the City is spending on healthcare services. In addition, the Act includes Resolution 512, which calls on New York State to create an independent commission to oversee hospital pricing and to increase access to healthcare services. This local law, referred to as Local Law 78, was signed by Mayor Adams on June 23, 2023, and will be effective beginning on February 22, 2024.